You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
346 lines
12 KiB
346 lines
12 KiB
4 years ago
|
---
|
||
|
title: How To Encrypt Your Own Documents Using gpg
|
||
|
layout: post
|
||
|
author: tait
|
||
|
---
|
||
|
|
||
|
If you have ever wanted to garuntee the utmost security of your emails and documents, then this is the guide for you!
|
||
|
It should be noted that in some circles the tools used are more common than in others.
|
||
|
These are the everyday tools of many privacy advocates and computer nerds.
|
||
|
|
||
|
If you have never used Linux however, then the method of doing this will be rather unfamiliar.
|
||
|
This tutorial will be done on an [Arch Linux](https://archlinux.org/) machine,
|
||
|
but it should be the same on Ubuntu, Fedora, CentOS, Debian,
|
||
|
OpenBSD, FreeBSD, MacOSX, etc.
|
||
|
The only operating system that does not include these tools by default (or easily accessible) is Windows.
|
||
|
|
||
|
This tutorial makes heavy use of the terminal.
|
||
|
You have been warned.
|
||
|
|
||
|
*Let us...begin!*
|
||
|
|
||
|
## Glossary
|
||
|
|
||
|
* [**ASCII armour**](https://en.wikipedia.org/wiki/Binary-to-text_encoding#ASCII_armor) --- A way to encode **OpenPGP** documents so they are readable by humans. These files end in .asc
|
||
|
* **(Open)PGP** --- An open standard for encoding pulbic keys and encrypted documents.
|
||
|
* **GPG** --- GNUPrivacyGaurd is an implementation of **OpenPGP**. It is installed by default on most Linux distrobutions.
|
||
|
|
||
|
## Step 0: Setup
|
||
|
|
||
|
We will be using the utility `gpg` for this tutorial.
|
||
|
|
||
|
The other thing to note: The character '$' (dollar sign) is usually not typed when shown in a command.
|
||
|
It simply indicates that you do not need administrative privilages to run these commands.
|
||
|
|
||
|
Test to see if you get this output in your terminal.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --version
|
||
|
|
||
|
gpg (GnuPG) 2.2.20
|
||
|
libgcrypt 1.8.5
|
||
|
Copyright (C) 2020 Free Software Foundation, Inc.
|
||
|
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
|
||
|
|
||
|
...
|
||
|
</pre>
|
||
|
|
||
|
If this is not successful look into how to install these tools on your system.
|
||
|
|
||
|
## Step 1: Get/Create A Public Key!
|
||
|
|
||
|
### Get Somebody Else's
|
||
|
Step one is having somebody to send your encrypted message to. Maybe this is a friend, a journalist, or a whistleblower.
|
||
|
|
||
|
To encrypt a document with somebody's public key, you need to first obtain it.
|
||
|
My public key is available [at this link](/public-key.asc), and you can use it to send me encrypted stuff.
|
||
|
|
||
|
If you are on a linux terminal, you can use the `curl` or `wget` command to download it.
|
||
|
|
||
|
wget:
|
||
|
<pre class="terminal">
|
||
|
$ wget https://tait.tech/public-key.asc
|
||
|
</pre>
|
||
|
|
||
|
Curl:
|
||
|
<pre class="terminal">
|
||
|
$ curl https://tait.tech/public-key.asc -o public-key.asc
|
||
|
</pre>
|
||
|
|
||
|
### Make Your Own (optional)
|
||
|
|
||
|
The following section is quite long,
|
||
|
so if you don't want to create your own keypair,
|
||
|
then feel free to skip to [Step #2](#step-2-import-public-key).
|
||
|
|
||
|
If you want to encrypt your own documents,
|
||
|
or you want others to be able to send you encrypted messages,
|
||
|
then you can create your own public/private key pair.
|
||
|
You can use these to encrypt your documents,
|
||
|
and you can send our public key to others so that they can securely communicate with yourself.
|
||
|
|
||
|
Run the following command in your terminal, and follow the steps I outline to get you started.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --full-gen-key
|
||
|
</pre>
|
||
|
|
||
|
This will produce the following dialog:
|
||
|
|
||
|
<pre class="terminal">
|
||
|
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
|
||
|
This is free software: you are free to change and redistribute it.
|
||
|
There is NO WARRANTY, to the extent permitted by law.
|
||
|
|
||
|
Please select what kind of key you want:
|
||
|
(1) RSA and RSA (default)
|
||
|
(2) DSA and Elgamal
|
||
|
(3) DSA (sign only)
|
||
|
(4) RSA (sign only)
|
||
|
(14) Existing key from card
|
||
|
Your selection?
|
||
|
</pre>
|
||
|
|
||
|
Select the option `1`. You want two keys, both RSA.
|
||
|
|
||
|
Next we will select the key size:
|
||
|
<pre class="terminal">
|
||
|
RSA keys may be between 1024 and 4096 bits long.
|
||
|
What keysize do you want? (2048)
|
||
|
</pre>
|
||
|
|
||
|
Type the number 2048.
|
||
|
|
||
|
Next it will ask you how long you want the key to be valid.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
Requested keysize is 2048 bits
|
||
|
Please specify how long the key should be valid.
|
||
|
0 = key does not expire
|
||
|
<n> = key expires in n days
|
||
|
<n>w = key expires in n weeks
|
||
|
<n>m = key expires in n months
|
||
|
<n>y = key expires in n years
|
||
|
Key is valid for? (0)
|
||
|
</pre>
|
||
|
|
||
|
Type the number 1. This will enable you time to test it,
|
||
|
but it will make the key expire within 24 hours so that if you accidentally
|
||
|
share your private key, or delete your VM and no longer have access to it, you will be fine.
|
||
|
|
||
|
It will ask your if you are sure about the expiry date.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
Key expires at Tue Apr 7 02:24:23 2020 UTC
|
||
|
Is this correct? (y/N)
|
||
|
</pre>
|
||
|
|
||
|
Type `y` to confirm your choice.
|
||
|
|
||
|
Now `gpg` is going to ask you to create a user id to indetify this key.
|
||
|
Use some test data for now.
|
||
|
User input is in bold, feel free to follow along or to put your own test data in.
|
||
|
|
||
|
Once you are more comfortable with the tools,
|
||
|
then you can create a public/private keypair that you will keep for some time.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
GnuPG needs to construct a user ID to identify your key.
|
||
|
|
||
|
Real name: <b>Mr. Tester</b>
|
||
|
Email address: <b>test@test.org</b>
|
||
|
Comment: <b>for testing only</b>
|
||
|
You selected this USER-ID:
|
||
|
"Mr. Tester (for testing only) <test@test.org>"
|
||
|
|
||
|
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? <b>O</b>
|
||
|
</pre>
|
||
|
|
||
|
It will then ask you for a password.
|
||
|
If you are simply using this for test purposes,
|
||
|
then you can feel free to set it to something like "test".
|
||
|
When create a long-term use pulbic key make sure to make the password *very* secure.
|
||
|
|
||
|
During the process of creating your key, `gpg` may warn you with this message:
|
||
|
|
||
|
<pre class="terminal">
|
||
|
We need to generate a lot of random bytes. It is a good idea to perform
|
||
|
some other action (type on the keyboard, move the mouse, utilize the
|
||
|
disks) during the prime generation; this gives the random number
|
||
|
generator a better chance to gain enough entropy.
|
||
|
</pre>
|
||
|
|
||
|
If this happens, feel free to smash your keyboard (lightly),
|
||
|
watch a YouTube video on the machine,
|
||
|
browse the web with [w3m](http://w3m.sourceforge.net/),
|
||
|
etc. until the key is generated.
|
||
|
|
||
|
You will know it is done when you see this message (or something similar):
|
||
|
|
||
|
<pre class="terminal">
|
||
|
gpg: key EACCC490291EA7CE marked as ultimately trusted
|
||
|
gpg: revocation certificate stored as '/home/tait/.config/gnupg/openpgp-revocs.d/FFA7D7525C6546983F1152D8EACCC490291EA7CE.rev'
|
||
|
public and secret key created and signed.
|
||
|
|
||
|
pub rsa2048 2020-04-06 [SC] [expires: 2020-04-07]
|
||
|
FFA7D7525C6546983F1152D8EACCC490291EA7CE
|
||
|
uid Mr. Tester (for testing only) <test@test.org>
|
||
|
sub rsa2048 2020-04-06 [E] [expires: 2020-04-07]
|
||
|
</pre>
|
||
|
|
||
|
Tada! You have your own public/private keypair!
|
||
|
|
||
|
Sharing a keypair that will expire soon is not a good idea,
|
||
|
however, if you are ready, then you can use this command to generate a public key file to share with others.
|
||
|
|
||
|
Feel free to substitute "Mr. Tester" for any other identifying part of your key.
|
||
|
Remember that to use the email, you must enclose it in < and >.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --export --armour "Mr. Tester" > public-key.asc
|
||
|
</pre>
|
||
|
|
||
|
To use the email as the identifier:
|
||
|
<pre class="terminal">
|
||
|
$ gpg --export --armour "<test@test.org>" > public-key.asc
|
||
|
</pre>
|
||
|
|
||
|
## Step 2: Import Public Key
|
||
|
|
||
|
This list of keys that `gpg` keeps on tap so to speak, is called our "keyring".
|
||
|
Your will need to import a new public key to encrypt files with `gpg`.
|
||
|
|
||
|
If you already created your own public key, then this step is not necessary unless you want to also encrypt something for me :)
|
||
|
|
||
|
<figure>
|
||
|
<img src="/assets/img/keyring.jpg" alt="A keyring holding eight allen keys.">
|
||
|
<figcaption>
|
||
|
A keyring holding eight allen keys.
|
||
|
</figcaption>
|
||
|
</figure>
|
||
|
|
||
|
To import a public key to use for encrypting files, use the `--import` option of `gpg`. Like so:
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --import public-key.asc
|
||
|
gpg: key 64FB4E386953BEAD: public key "Tait Hoyem <tait.hoyem@protonmail.com>" imported
|
||
|
gpg: Total number processed: 1
|
||
|
gpg: imported: 1
|
||
|
</pre>
|
||
|
|
||
|
Now that we have imported a public key, we can make a message to send!
|
||
|
|
||
|
## Step 3: Have A Message To Encrypt
|
||
|
|
||
|
You can make a new file which holds some important, secret data.
|
||
|
Feel free to use a graphical editor if you have one, if not, `nano` works alright too.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
Rules Of A Good Life:
|
||
|
|
||
|
1. Wash your hands!
|
||
|
2. Work hard!
|
||
|
3. Be firm.
|
||
|
5. Have good friends!
|
||
|
</pre>
|
||
|
|
||
|
Save this file as something like `test-pgp.txt`, and we'll use that name later.
|
||
|
|
||
|
## Step 4: Encrypt A Message
|
||
|
|
||
|
Now that we have a message to send and person to send to,
|
||
|
all we have to do is encrypt this message and it'll be on its merry way!
|
||
|
To do so, we must specify two new options to `gpg`.
|
||
|
|
||
|
The first is `--recipient`.
|
||
|
This tells `gpg` to encrypt using a certin public key that we have in our keyring.
|
||
|
You can use the person's name, email address, or the key's uid.
|
||
|
|
||
|
The second is `--encrypt`.
|
||
|
|
||
|
You will also specify the `--armour` option to use ASCII armoured files. Put this option after `--encrypt`, and put the file name after `--armour`. See below.
|
||
|
|
||
|
You can either use your own public key name to encrypt a document (allowng only you to decrypt it),
|
||
|
or you can use my public key that we imported earlier (allowing only me to decrypt it).
|
||
|
Either way works fine.
|
||
|
|
||
|
This is the big one!
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --recipient "Tait Hoyem" --encrypt --armour test-gpg.txt
|
||
|
</pre>
|
||
|
|
||
|
"But there is no output!" you might say!
|
||
|
Yes, that is because our new (encrypted) file has already been saved.
|
||
|
Let's look at it with cat.
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ cat test-gpg.txt.asc
|
||
|
-----BEGIN PGP MESSAGE-----
|
||
|
|
||
|
hQIMA2mJuYb8vkIlAQ/9FDmXJgW2vI7p9sznKvHhQk7uTZvoWC3hCeqHoO3BSElP
|
||
|
XR1BNAkJ+bykB30M+9u+XDyRtTwazjvNPmYfQnIh0Q+BQZigDWbEd1R47jbzm7Tu
|
||
|
0eZKKapgEidfecULtaECX1sR3qPt1m9oZjyUR1rzNd8tezZlCu2pjdNZrkta2Bdm
|
||
|
Hh1xDS43Bw7PMQqraJsHwqr0M1GLDbMzPes2ZU5y4jEmXZ0PZdJ7kgjR8dvhLBfi
|
||
|
MU+4kYnnemQEztXBOjKidhyOntKiLjenvD00tVHrOuQoWuWCHGiqR24qSwVjeb9G
|
||
|
079gqH1VWi3fk2cwFA9f3TLvJqUwatyE0Hcba0U1d2Voz/C9JEQjT6FHuaCqQL6b
|
||
|
p7B7m2DwpywFGJpAn6ksrEYqHaLVWiEGmdMmHYuHxMw8+cqoSwbYymCZTwMBAuJe
|
||
|
Pr1VO9uNo+Vj5r8IX7ACcSsrjf0XkVzfX6ySsPbyOlGXnwzWSOM3Dk2Z9MqDORbj
|
||
|
0/7vJTnDctPuc91Rlp3YnJlZKWMcNfPMKMtvpljd2XuVwub+C4vGWXa9XLbRXmJo
|
||
|
cnEFT6SB11AKjytE2Urt62CCrYjJPBneabxbCztnBs+vQSx7Fj0LK6v4Euik/Xm/
|
||
|
9aKmZZW8306c9Zwgpp9glWjLMCDNxJRGdKRjZsnkt9hOEYsP1irTegystK6u4eHS
|
||
|
mwHX931ENOJsnPfQZCZ9b41Q9doZQ/N/WHstQO8MtA3HIN1sW3wYkGzOLKj4gJfm
|
||
|
bqR/TzQmXyLT1xZa+/yTscaV0P4OlI4vcii/k4DgeSeQVWp9o9DbZFxSCsdYVvPu
|
||
|
jaDMzZnIKoax1GFz/coUAHFQub2rLzaQ5DDbvrkX++UrAjuUtRcSFH0TKhahZmCF
|
||
|
nv117moLfK22Mst/
|
||
|
=bw8T
|
||
|
-----END PGP MESSAGE-----
|
||
|
</pre>
|
||
|
|
||
|
## Step 5: Decryption (optional)
|
||
|
|
||
|
If you created your own public/private keypair in step 1,
|
||
|
and you encryped using `--recipient "Your Test Name"`,
|
||
|
then you can decrypt your document as well!
|
||
|
|
||
|
You will need to specify `--decrypt`, and that's all folks!
|
||
|
|
||
|
<pre class="terminal">
|
||
|
$ gpg --decrypt test-gpg.txt.asc
|
||
|
</pre>
|
||
|
|
||
|
A password dialog will then come up asking for your previously created password.
|
||
|
As long as you remember your password from before and enter it correctly: voila!
|
||
|
|
||
|
<pre class="terminal">
|
||
|
gpg: encrypted with 4096-bit RSA key, ID 6989B986FCBE4225, created 2020-01-02
|
||
|
"Tait Hoyem <tait.hoyem@protonmail.com>"
|
||
|
Rules Of A Good Life:
|
||
|
|
||
|
1. Wash your hands!
|
||
|
2. Work hard!
|
||
|
3. Be firm.
|
||
|
5. Have good friends!
|
||
|
</pre>
|
||
|
|
||
|
## Step 6: Finale!
|
||
|
|
||
|
Ladies and gentleman, you have done it!
|
||
|
You have encrypted our very own document.
|
||
|
(And maybe even decrypted it yourself too :)
|
||
|
|
||
|
If you encrypted using my public key,
|
||
|
feel free to send it to [my email](mailto:tait@tait.tech).
|
||
|
I am happy to verify if it worked.
|
||
|
|
||
|
For more information on this subject, check out [gnugp.org's guide](https://www.gnupg.org/gph/en/manual/c14.html) on using GPG.
|
||
|
They are the ones that make these tools available,
|
||
|
and the [GNU Project](https://www.gnu.org/) has been instrumental in creating the open-source world as it exists today.
|
||
|
Give 'em some love, eh!
|
||
|
|
||
|
Thank you so much for sticking through this whole thing!
|
||
|
Let me know if there is anything that doesn't make sense.
|
||
|
I am happy to improve this guide as time goes on if that is necessary.
|
||
|
|
||
|
Happy hacking :)
|